Secure authentication proxy architecture for a web-based wireless intranet application

ABSTRACT

A method and server system for exchanging data between a wireless electronic device and another computer system. This system allows a wireless electronic device to securely communicate with an Intranet by verifying authentication parameters. The first authentication parameter is the device serial number and a password which authenticates the network connection. The second authentication parameter is a user name and password that authenticates the user's access to applications on the Intranet. The system uniquely integrates the authentication parameters into every query the wireless device makes to the Intranet to maintain the session between the wireless device and the Intranet. Beneficially, the authentication parameters are not stored on any particular network device and do not burden either the server or the wireless device with maintaining the session. In another embodiment of the present invention, the server system uses a link rewriter service for examining web pages generated by applications of the Intranet to identify links that target any application that is resident on the Intranet. The link rewriter uses a look up table in a database to rewrite the link to include a keyword that designates the targeted application and its Intranet server. The keyword is then used to route links to the Intranet and if a link is not resident on the Intranet, the query will be routed to the Internet.

RELATED APPLICATIONS

This Application is a Continuation of co-pending commonly owned U.S. patent application Ser. No. 10/703,006, Attorney Docket Palm-3685.CON, filed Nov. 05, 2003, to Watson and Stantz, entitled “Secure Authentication Proxy Architecture for a Web-Based Wireless Intranet Application,” which in turn was a Continuation of U.S. patent application Ser. No. 09/917,391, now U.S. Pat. No. 6,732,105, filed Jul. 27, 2001 entitled “Secure Authentication Proxy Architecture for a Web-Based Wireless Intranet Application” to Watson and Stantz. Both applications are incorporated herein in their entirety by reference for all purposes.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the field of data processing. More specifically, embodiments of the present invention relate to providing a method for a wireless electronic device (e.g., a portable computer system, a palmtop computer system, cell phone, pager or any other hand-held electronic device) to connect with authenticated access to Intranet web applications.

2. Related Art

Computer systems have evolved into extremely sophisticated devices that may be found in many different settings. Computer systems typically include a combination of hardware (e.g., semiconductors, circuit boards, etc.) and software (e.g., computer programs). As advances in semiconductor processing and computer architecture push the performance of computer hardware higher, more sophisticated computer software has evolved to take advantage of the higher performance of the hardware, resulting in computer systems today that are much more powerful than just a few years ago.

Other changes in technology have also profoundly affected how people use computers. For example, the widespread proliferation of computers prompted the development of computer networks that allow computers to communicate with each other. With the introduction of the personal computer (PC), computing became accessible to large numbers of people. Networks for personal computers were developed to allow individual users to communicate with each other. In this manner, a large number of people within a company could communicate at the same time with a central software application running on one computer system.

As corporations utilize increasingly distributed and open computing environments, the security requirements of an enterprise typically grow accordingly. The complexity of employee, customer and partner access to critical information, while assuring proper security, has proven to be a major hurdle. For example, many organizations implement applications that allow their external business partners, as well as their own internal employees, to access sensitive information resources within the enterprise. In the absence of adequate security measures, an enterprise may be subject to the risk of decreased security and confidentiality.

As a result, authentication mechanisms are usually implemented to protect information resources from unauthorized users. Examples of network security products include firewalls, digital certificates, virtual private networks, and single sign-on systems. Some of these products provide limited support for resource-level authorization. For example, a firewall can screen access requests to an application or a database, but does not provide object-level authorization within an application or database.

Single Sign-On (SSO) products, for example, maintain a list of resources an authenticated user can access by managing the login process to many different applications. However, firewalls, SSO and other related products are very limited in their ability to implement a sophisticated security policy characteristic of many of today's enterprises. They are limited to attempting to manage access at a login, or “launch level,” which is an all or nothing approach that can't implement an acceptable level of security that is demanded by businesses supporting Intranets.

FIG. 1A illustrates a prior art system 100 of a palmtop or “palm sized” computer system 104 connected to other computing systems and an Intranet via a cradle. Specifically, system 100 comprises a palmtop device 104 connected to PC 103 over a link that can be a serial communication bus, but could be any of a number of well known communication standards and protocols, e.g., a parallel bus, Ethernet, Local Area Network (LAN), and the like. PC 103 is connected to server 101 and database 102 by an authenticated network connection. In the prior art system 100, two authentication steps are performed to provide a secure connection. First, PC 103 is physically connected to the server 101 to establish a network connection. The physical location of PC 103 is usually sufficient for the network connection to be approved. Secondly, when applications on server 101 are used, the user of PC 103 must provide a user name and password to authorize use. In this configuration, security and authentication is achieved first on the network level by authenticating the user's login name and password or device identification over the network and secondly on the application level by again authenticating the user's login name and password.

Similarly, FIG. 1B is a prior art system 105 illustrating a palmtop computer connected to other computer systems and the Internet via a modem or dial up device. Specifically, palm device 104 is connected to modem 106 over a link that can be a serial communication bus, but could be any of a number of well known communication standards and protocols, e.g., a parallel bus, Ethernet, Local Area Network (LAN), and the like. Modem 106 is connected to server 101 and database 102 by an authenticated dial-up network connection. In the prior art system 105, two authentication steps are performed to provide a secure connection. First, modem 106 must provide a correct user name and password to the server 101 to establish a network connection. Secondly, when applications on server 101 are used, the user of palm device 104 must provide a user name and password to authenticate use. In this configuration, security and authentication is achieved first on the network level by authenticating the user's login name and password or device identification when the modem makes a connection to the network and secondly on the application level by again authenticating the user's login name and password.

In these two configurations, a secure authentication process occurs in which two layers of authentication occur. First a network authentication is processed and secondly, an application authentication occurs. At least one of the authentication processes relies on the user supplying a user name and a password, and both require network level authentication.

Unfortunately, most wireless communications do not support double authentication. Due to the differences between ECC encryption associated with wireless protocol and SSL encryption associated with traditional IP protocol, security and authentication mechanisms associated with mobile and wireless need to be modified to provide the same level of security as does the traditional land based communications. For example, mobile and wireless devices often access web servers through Internet gateways that provide no assurance of the identity of a device or user. In other words, they provide no network level of security. Intranet security guidelines for most companies usually require both authentication of a device to the network and of a user to each application before access to internal resources can be permitted.

Therefore, there exists a need for a mechanism which allows wireless devices to establish secure and authenticated connections to applications that reside on Intranet networks.

SUMMARY OF THE INVENTION

In accordance with the present invention, a system and method are disclosed to permit portable wireless devices secure and authenticated access to applications that are on an Intranet server. Embodiments of the present invention provide a flexible, inexpensive way for wireless network users to access Intranet applications while protecting Intranet resources (e.g., enterprise resources) against unauthorized access. In addition, the invention does not impose the authentication burden upon individual applications or require the use of application specific middleware or a specific mobile application framework.

Embodiments of the present invention include a method and server system for exchanging data between a hand-held wireless electronic device and another computer system. This system allows a wireless electronic device to securely communicate with an Intranet by verifying two authentication parameters to provide network level authentication. The first authentication parameter is the device serial number and a password which authenticates the network connection. The second authentication parameter is a user name and password that authenticates the user's access to applications on the Intranet. In one embodiment of the present invention, the system uniquely integrates the authentication parameters into every query the wireless device makes to the Intranet by adding the parameters to each link that is communicated to the device from the Intranet service. In this configuration, the authentication parameters maintain the session between the wireless device and the Intranet. Beneficially, the authentication parameters are not stored on any particular network device and do not burden either the server or the wireless device with maintaining the session. In another embodiment of the present invention, the server system uses a link rewriter service for examining web pages generated by applications of the Intranet to identify links that point to any application that is resident on the Intranet. Once an Intranet link is queried, the link rewriter uses a look up table in a database to rewrite the link to include a keyword that designates both the targeted application and its Intranet server. If a link is not resident on the Intranet, it will not be rewritten, thereby causing it to be executed/routed over the Internet.

More specifically, the present invention includes a server system comprising a network translator for communicating with wireless electronic devices and translating between wireless communication protocol and IP communication protocol. The server system also contains an Intranet comprising a plurality of Intranet servers, each comprising applications. In addition is a proxy server coupled to the network translator and Intranet. The proxy server is for routing queries received from the wireless electronic device to an appropriate server destination and for routing responses to wireless electronic devices. The proxy server comprises a link rewriter service for examining web pages generated by applications of the Intranet to identify links that point to any application that resides in the Intranet, translating each identified link to include a keyword that designates both the targeted application and its Intranet server. The proxy server also comprises a routing service for examining queries sent from the wireless electronic device and for routing queries with recognized keywords to the Intranet and for routing others to the Internet.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention.

FIG. 1A is a prior art system illustration of a palmtop or “palm sized” computer system connected to other computer systems and the Internet via a cradle device and having network authorization.

FIG. 1B is a prior art system illustration of a palmtop or “palm sized” computer system connected to other computer systems and the Internet via a modem or dial-up device and having network authorization.

FIG. 2 illustrates a block diagram of an exemplary wireless communication network environment including a wireless electronic device in accordance with an embodiment of the present invention.

FIG. 3 is a logical block diagram of an exemplary palmtop computer system in accordance with an embodiment of the present invention.

FIG. 4 is a flow diagram showing the sequence and pathway of data communication over an exemplary wireless communication network in accordance with an embodiment of the present invention.

FIG. 5 illustrates a system environment in which embodiments of the present invention can operate including a mobile wireless electronic device and one or more available remotely located resources.

FIG. 6 illustrates a system environment in which embodiments of the present invention can operate including a proxy server containing one or more system based applications.

FIG. 7 is a flow diagram illustrating a discovery process of one embodiment of the present invention for discovering if a query includes a recognized link for Intranet data accessing and routing the query accordingly.

FIG. 8 is a flow diagram illustrating a link rewriting process of one embodiment of the present invention for rewriting specific links to specify the Intranet server(s).

FIG. 9 is a flow diagram illustrating a registration process of one embodiment of the present invention for registering a device to have network access on the network gateway.

FIG. 10 is an illustration of a keyword look up table used in one embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Reference will now be made in detail to the preferred embodiments of the invention, examples of which are illustrated in the accompanying drawings. While the invention will be described in conjunction with the preferred embodiments, it will be understood that they are not intended to limit the invention to these embodiments. On the contrary, the invention is intended to cover alternatives, modifications and equivalents, which may be included within the spirit and scope of the invention as defined by the appended claims. Furthermore, in the following detailed description of the present invention, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will be obvious to one of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well known methods, procedures, components, and circuits have not been described in detail so as not to unnecessarily obscure aspects of the present invention.

Notation and Nomenclature

Some portions of the detailed descriptions that follow are presented in terms of procedures, logic blocks, processing, and other symbolic representations of operations on data bits within a computer memory. These descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. A procedure, logic block, process, etc., is here, and generally, conceived to be a self-consistent sequence of steps or instructions leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated in a computer system. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, bytes, values, elements, symbols, characters, terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussions, it is appreciated that throughout the present invention, discussions utilizing terms such as “setting,” “storing,” “scanning,” “receiving,” “sending,” “disregarding,” “entering,” or the like, refer to the action and processes (e.g., processes 700, 800 and 900) of a computer system or similar intelligent electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.

Although the server system of the present invention may be implemented in a variety of different electronic systems such as a pager, a mobile phone, a calculator, a portable electronic device, a personal digital assistant (PDA), etc., one exemplary embodiment includes the server system with a portable computing system. It should be understood that the descriptions corresponding to FIGS. 1-4 provide some general information about an exemplary portable computing system.

FIG. 2 is a block diagram of an exemplary network environment 200 including an exemplary portable electronic system 201 (e.g., a personal digital assistant). The personal digital assistant 201 is also known as a palmtop or palm-sized electronic system. The personal digital assistant 201 has the ability to transmit and receive data and information over a wireless communication interface. The personal digital assistant 201 is one exemplary implementation on which the present invention can operate. The present invention can operate with most portable electronic systems/devices having wireless communication capabilities.

Base station 202 is both a transmitter and receiver base station which can be implemented by coupling it into an existing public telephone network 203. Implemented in this manner, base station 202 enables the personal digital assistant 201 to communicate with a proxy server computer system 205, which is coupled by wire 204 to the existing telephone network 203. Furthermore, proxy server computer system 205 is coupled to the Internet 507 or with Intranet 508, thereby enabling the personal digital assistant to communicate with the Internet 507 or with an Intranet 508. It should be appreciated that within the present embodiment, one of the functions of the proxy server 205 is to perform operations over the Internet 507 on behalf of the personal digital assistant 201. For example, proxy server 205 has a particular Internet address and acts as a proxy device for the personal digital assistant 201 over the Internet 507. It should be further appreciated that other embodiments of a communications network may be utilized in accordance with the present invention.

The data and information which are communicated between base station 202 and the personal digital assistant 201 are a type of communication and data that can conventionally be transferred and received over a public telephone wire network system. However, a wireless communication interface is utilized to communicate data and information between the personal digital assistant 201 and the base station 202. It should be appreciated that one embodiment of a wireless communication system in accordance with the present invention is the Cingular wireless communication system.

FIG. 3 is a block diagram of exemplary circuitry of portable computing system 201 in accordance with one embodiment of the present invention. The computer system 201 includes a central processor for processing information and instructions. It is appreciated that central processor unit 301 may be a microprocessor or any other type of processor. The computer system 201 also includes data storage features such as a volatile memory 303 (e.g., random access memory, static RAM, dynamic RAM, etc.) for storing information and instructions for the central processor 301 and a non-volatile memory 302 (e.g., read only memory, programmable ROM, flash memory, EPROM, EEPROM, etc.) for storing static information and instructions for the processor 301. Computer system 201 may also include an optional data storage device 304 (e.g., thin profile removable memory) for storing information and instructions. It should be understood that device 304 may be removable. Furthermore, device 304 may also be a secure digital (SD) card reader or equivalent removable memory reader.

Also included in computer system 201 of FIG. 3 is an alphanumeric input device 306 which in one implementation is a handwriting recognition pad (“digitizer”) and may include integrated push buttons in one embodiment. Device 306 can communicate information (spatial data and pressure data) and command selections to the central processor 301. The coordinate values (spatial information) and pressure data are then output on separate channels for sampling by the processor 301. In one implementation, there are many different discrete levels of pressure that can be detected by the digitizer 306.

System 201 of FIG. 3 also includes an optional cursor control or directing device 307 for communicating user input information and command selections to the central processor 301. In one implementation, device 307 is a touch screen device (also a digitizer) incorporated with screen 305. Device 307 is capable of registering a position on the screen 305. The digitizer of 306 or 307 may be implemented using well known devices, for instance, using the ADS-7846 device by Burr-Brown that provides separate channels for spatial stroke information and pressure information.

Computer system 201 also contains a flat panel display device 305 for displaying information to the computer user. The display device 305 utilized with the computer system 201 may be a liquid crystal device (LCD), cathode ray tube (CRT), field emission device (FED, also called flat panel CRT), plasma or other display technology suitable for creating graphic images and alphanumeric characters recognizable to the user. In one embodiment, the display 305 is a flat panel multi-mode display capable of both monochrome and color display modes.

Also included in computer system 201 of FIG. 3 is a signal communication device 308 that may be a serial port (or USB port) for enabling system 201 to communicate with PC 103. As mentioned above, in one embodiment, the communication interface is a serial communication port, but could also alternatively be of any of a number of well known communication standards and protocols, e.g., parallel, SCSI, Ethernet, FireWire (IEEE 1394), USB, etc., including wireless communication.

In one implementation, the Cingular wireless communication system may be used to provide two way communication between computer system 201 and other networked computers and/or the Internet (e.g., via a proxy server). In other embodiments, transmission control protocol (TCP) can be used or Short Message Service (SMS) can be used.

FIG. 4 is a block diagram of a communication pathway in accordance with the present invention. In the present embodiment, the device is a wireless device 201; however, it is appreciated that the wireless device may be another type of intelligent electronic device. FIG. 4 illustrates the flow of data starting with a wireless device 201. From wireless device 201, the data is transmitted to base station 202 where it enters the existing telephone network 204. From the existing telephone network 204, data is transmitted over wire to translation server 404. The translation server 404 is necessary because wireless communications networks operate using a series of wireless protocols and the proxy server 205 communicates using IP protocol. Accordingly, to transfer data from a wireless device 201 to the proxy server 205 network, the communication protocol must be converted by the translation server 404 from wireless protocol to IP protocol. Once the data is converted to IP protocol, the data is sent to proxy server 205 where it then may enter the Intranet 508.

FIG. 5 illustrates a system environment 500 including a mobile wireless electronic device 201 and an Intranet 508 coupled to a proxy server 205, a protocol translator 404 and the Internet 507. Portal launcher 503 is an application that resides on portable wireless electronic device 201 and aids in connecting to the network gateway. The launcher 503 provides authentication parameters to the browser 502. Browser 502 is very similar to a web browser or “mini-browser” used to browse web pages on the Internet. Browser 502 is used to browse wireless communications received on wireless electronic device 201. When Portal launcher 503 is executed, an authenticated connection is required to gain a network connection. In the case of one embodiment of the present invention, the serial number belonging to the wireless electronic device 201 in addition to a security password is used to authenticate the network connection on the first message. When the browser application 502 is executed, the portable electronic device 201 transmits the serial number and password via browser 502 to protocol translator 404 and proxy server 205.

Proxy server 205 checks with a database in LDAP 509 to validate that the portable electronic device 201 is a registered user of the network. If the serial number of the portable wireless device 201 is a registered user of the network, the password must match the record in LDAP 509 to secure a network connection. If the serial number of the portable electronic device 201 and/or the password do not match the LDAP 509 database, the device 201 will not be authenticated to use the network 508. If the records in LDAP 509 match the provided authentication parameters, the device 201 will be allowed to communicate over the gateway.

In one embodiment of the present invention, an approved network user has the capability to register a device that is not currently registered with LDAP 509. On the portable electronic device 201, there is an application named register 504. This application allows the user to register a device on LDAP 509 by supplying a user name and password. If the user name and password that are supplied match the user name and password stored in network authentication table 511, the serial number of the device will then be updated in LDAP 509 as a registered device of the network. If the user name and password do not match the record in network authentication table 511, the device 201 will not be registered as an authenticated device on the network. This is described in more detail in FIG. 9.

Now referring to FIG. 6 which represents a system 600 illustrating the components of proxy server 205 that include link rewriter 604, server user authenticator 605, router 606, server authentication adder 607 and keyword table 608. In FIG. 6, proxy server 205 is coupled to translation server 404, Intranet 508 and the Internet 507. System 600 includes a uniquely intelligent active proxy server 205 designed to operate between a web client device (or gateway representing such a device) and a non-Internet accessible corporate network (“Intranet”) 508 containing one or more web servers 609. Proxy server 205 accepts authentication parameters provided by wireless device 201 as a query or form parameter in HTTP. The authentication parameters could include, but are not limited to, the serial number of wireless device 201 and a password. The authentication parameters are the basis of the authenticated session and every authenticated query must contain the authentication parameters either as GET query parameters or form variables to maintain a session. Server user authenticator 605 checks the authentication parameters against an internal LDAP 509 database which maps user-names to authorized serial numbers, and permits only queries with valid authentication parameters.
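The device check against LDAP 509, the registration path of register application 504 and the per-query check of server user authenticator 605 described in the preceding paragraphs, written out as one added example for this page (it is not code from the patent). An in-memory Directory class stands in for LDAP 509 and network authentication table 511; the parameter names serial and devpw, the salted PBKDF2 storage of passwords, and the sample user and serial number are all assumptions made here.

```python
# Added example (not the patent's code): device-level authentication and
# device registration as described for proxy server 205, LDAP 509, network
# authentication table 511 and register application 504.  The in-memory
# Directory class stands in for LDAP; the parameter names "serial" and
# "devpw", the PBKDF2 storage format and all sample values are assumptions.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl

PBKDF2_ROUNDS = 50_000  # assumed; the patent says nothing about password storage


def _derive(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _new_record(password):
    """Fresh (salt, digest) pair for storing a password."""
    salt = secrets.token_bytes(16)
    return salt, _derive(password, salt)


def _matches(record, password):
    """Constant-time comparison of a candidate password against a stored record."""
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(digest, _derive(password, salt))


class Directory:
    """Stand-in for LDAP 509 (device serial numbers) and table 511 (user credentials)."""

    def __init__(self):
        self._users = {}    # user name -> (salt, digest)
        self._devices = {}  # serial number -> {"owner": user name, "record": (salt, digest)}

    def add_user(self, name, password):
        self._users[name] = _new_record(password)

    def authenticate_user(self, name, password):
        """Application-level check of the user name and password (table 511)."""
        return _matches(self._users.get(name), password)

    def register_device(self, user, user_password, serial, device_password):
        """Register application 504 / process 900: an approved user enrols a
        serial number.  Fails closed unless the user's credentials match."""
        if not self.authenticate_user(user, user_password):
            return False
        self._devices[serial] = {"owner": user, "record": _new_record(device_password)}
        return True

    def authenticate_device(self, serial, password):
        """Network-level check (steps 703 and 904): the serial number must be
        registered and the device password must match its record."""
        entry = self._devices.get(serial)
        return entry is not None and _matches(entry["record"], password)

    def owner_of(self, serial):
        """The user name LDAP 509 maps to an authorized serial number, or None."""
        entry = self._devices.get(serial)
        return entry["owner"] if entry else None


def authenticate_query(directory, query_string):
    """Server user authenticator 605: the parameters ride in every query as
    GET query parameters (or form variables); a query without both is refused."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    serial, password = params.get("serial", ""), params.get("devpw", "")
    if not serial or not password:
        return False
    return directory.authenticate_device(serial, password)


if __name__ == "__main__":
    d = Directory()
    d.add_user("alice", "correct horse battery")        # constructed sample user
    print(d.authenticate_device("PALM-0001", "s3cret"))  # not registered yet
    print(d.register_device("alice", "correct horse battery", "PALM-0001", "s3cret"))
    print(authenticate_query(d, "serial=PALM-0001&devpw=s3cret&page=home"))
```

Two checks worth keeping from this example: register_device fails closed on a wrong user password and authenticate_device on an unknown serial number, and every password comparison goes through hmac.compare_digest rather than ==. Note also what the network-level credential actually is here: nothing but the serial number and device password identifies the device, so both need the same protection on the device and in transit as a user password would.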

Proxy server 205 also efficiently examines and potentially alters every URL found in content returned from internal web servers 609 so that each URL hosted within the Intranet 508 appears relative to proxy server 205 when viewed on wireless device 201. When content returned from Intranet 508 (in response to a query from the wireless device) contains URLs, link rewriter 604 only rewrites links that target the Intranet 508. Links that reside on Internet 507 will be routed by router 606 to Internet 507. Router 606 is responsible for recognizing links that reside on Intranet 508 and routing them to link rewriter 604.

When link rewriter 604 receives a web page from the Intranet 508, it examines links therein. When the rewriter 604 sees a link that targets the Intranet 508, it looks to keyword table 608 to match the path of the link's URL to the appropriate table URL to rewrite the link with. The rewritten link then includes a keyword that designates the application and the Intranet server that hosts the application. Keyword table 608 contains a database of appropriate keywords for the links (applications) that reside on Intranet 508. When prompted by link rewriter 604, the keyword table uses the URL in the link as an index, locates the corresponding keyword and rewrites the URL in the returned rewritten link. The rewritten link uses the keyword to point to the correct application and server on Intranet 508. This feature makes the link rewriting process seamless to the user of wireless device 201.

Server authentication adder 607 appends the original authentication parameters to each link in any returned content, causing an authenticated session state to persist between queries. Beneficially, server authentication adder 607 maintains an authenticated session without requiring any storage of session state in the application or in proxy server 205. The session state is stored in the queries between wireless device 201 and proxy server 205.

FIG. 7 is a flow diagram illustrating a process 700 of link rewriting and routing for links received from a wireless electronic device, e.g., a “query.” In FIG. 7, in the first step 701, the translator server receives a query from wireless device 201. The query (containing a link) is translated from wireless communications protocol (and encryption) to IP protocol (and encryption) in the second step 702. Once translated, the query is checked by the proxy server 205 using LDAP 509 to determine if the device 201 is a registered device and the supplied password is correct 703. If device 201 is not registered, a network connection will not be established. If the user is an authorized user, they will then have the option of registering the device using registration application 504. If the authentication parameters are authenticated, a network connection will be established and the proxy server 205 will examine the query to see if it contains a link having a recognized keyword 704. Keywords are used to determine if a link targets the Intranet or the Internet.

Proxy server 205 then completes the step 704 of checking if the query includes a link having a recognized keyword. Recognized keywords are stored in keyword look up table 608 that contains the appropriate keyword and the corresponding file path to the server on the Intranet. At step 705, if a link includes a recognized keyword, the query is routed to the Intranet 508, not the Internet 507. At step 706, if the query does not contain a recognized keyword, the query is routed to the Internet 507. At step 707, once a query containing a recognized keyword is routed to the Intranet 508, keyword look up table 608 obtains the file path of the URL that corresponds to the recognized keyword. The link can now be rewritten with the corresponding top level pathway to the correct application and web server on the Intranet. At step 708, once the link has been rewritten, the query is routed to the appropriate Intranet web server 609 and application.

FIG. 8 represents a flow diagram of the link rewriting process 800 for rewriting specific links to specify the correct web server. The link rewriting process 800 begins when proxy server 205 receives a web page response from an application 801 of the Intranet and the web page is scanned for links 802. At step 803, the proxy server 205 decides whether the links point to a server on the Intranet 508 or on the Internet 507. If a link does not target the Intranet 508, at step 804 and step 806, the link is not rewritten and is routed to the Internet. If the link contains a recognizable path to the Intranet 508 and the link resides on a server on the Intranet 508, at step 805, the proxy server 205 uses the keyword table to rewrite the link to specify a particular keyword corresponding to the correct application and server on the Intranet. Once the link has been rewritten, proxy server 205 adds the authentication parameters, originally attached to the initial query that generated the web page, to the link 806. The rewritten web page is then routed to the translator server for wireless communication with the electronic device 807. In this configuration, the authentication parameters maintain the session between the wireless device and the Intranet. Beneficially, the authentication parameters are not stored on any particular network device and do not burden either the server or the wireless device with maintaining the session.

When the user of the wireless device clicks on a rewritten link containing a recognized keyword, the proxy server decides where to target the link (e.g., to the Intranet) by using the keyword look up table to find the pathway that corresponds to the recognizable keyword. With the corresponding pathway, the query is routed to the correct web server on the Intranet. Without a keyword, the query is forwarded over the Internet.

FIG. 9 represents a flowchart 900 of the process of registering a device with the LDAP database. When an authorized user desires to establish a network connection between the Intranet and a wireless device not registered as an authorized network device, they have the option to register the device with the LDAP database of the Intranet. At step 901, when a query from a wireless device is received at the translation server 404, it is translated from wireless communication protocol to IP 902. The query is then checked for authentication parameters before a network connection can be established 903. The authentication server looks to the LDAP server to see if the device is authorized 904. At step 908, if the serial number of the device and the password match the record in LDAP, the connection is established and the user will have access to the Intranet 508. If the device is not registered, authentication will fail and the device will not establish a network connection with the Intranet 508.

At any point, the user has the option to register the device if they are a registered user of the Intranet. A registration application can be used to register the device. The registration application transmits a query to the proxy server 205. The query contains the device serial number, a login name and a password. The authentication parameters are checked against network authentication table 511. At step 905, if the login name and password match the record in network authentication table 511, the serial number will be added to the network authentication tables and the device will now be a registered device. If the login name and password do not match the network authentication table record for the user, access will be denied and the device will not be registered as an authorized device 907.
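Process 900 of FIG. 9, written out as an added Python example for this page (it is not code from the patent or from Palm). The record layout, the salted PBKDF2 hashing, the function and parameter names and the constructed user and device records are all assumptions; the patent does not say how LDAP 509 or network authentication table 511 store passwords.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# How LDAP 509 / network authentication table 511 store secrets is not described
# in the patent; salted PBKDF2 records are an assumption of this example.
_ITERATIONS = 100_000


def _new_record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _verify(record: tuple, password: str) -> bool:
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison


# Hashed on every miss so an unknown serial or login costs the same as a wrong password.
_DUMMY = _new_record("")


@dataclass
class Directory:
    """Constructed stand-in for LDAP 509 and network authentication table 511."""
    users: dict = field(default_factory=dict)    # login  -> (salt, hash)
    devices: dict = field(default_factory=dict)  # serial -> (owner login, salt, hash)

    def add_user(self, login: str, password: str) -> None:
        self.users[login] = _new_record(password)


def authenticate_device(d: Directory, serial: str, password: str) -> bool:
    """Steps 903, 904 and 908: the network connection is established only when the
    serial number is registered and the supplied password matches its record."""
    rec = d.devices.get(serial)
    if rec is None:
        _verify(_DUMMY, password)
        return False
    return _verify(rec[1:], password)


def register_device(d: Directory, serial: str, login: str, password: str) -> bool:
    """Steps 905 to 907: the registration application's query carries the serial
    number, a login name and a password; if the login and password match the user's
    record, the serial number is added to the device table."""
    rec = d.users.get(login)
    if rec is None:
        _verify(_DUMMY, password)
        return False
    if not _verify(rec, password):
        return False
    # Assumption: the device's network password is the one presented at registration.
    d.devices[serial] = (login, *_new_record(password))
    return True


def connect(d: Directory, serial: str, password: str, login: Optional[str] = None) -> str:
    """Process 900 end to end. Returns "connected" when steps 903-908 succeed,
    "registered" when an unregistered device was just added via steps 905-907 (the
    next connect then succeeds), and "denied" otherwise."""
    if authenticate_device(d, serial, password):
        return "connected"
    if login is not None and register_device(d, serial, login, password):
        return "registered"
    return "denied"


if __name__ == "__main__":
    directory = Directory()
    directory.add_user("jdoe", "correct horse battery staple")   # constructed user record
    print(connect(directory, "PALM-0001", "correct horse battery staple"))                # denied
    print(connect(directory, "PALM-0001", "correct horse battery staple", login="jdoe"))  # registered
    print(connect(directory, "PALM-0001", "correct horse battery staple"))                # connected
```

Two details the flowchart leaves implicit but a deployment needs: the comparison is constant time and a miss on an unknown serial or login still performs the hash, so response timing does not reveal whether a serial is registered or a login exists; and registration requires the user's password, so possession of a serial number alone never yields a network connection.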

FIG. 10 illustrates a keyword look up table 608 that is used to rewrite links that target web servers on an Intranet. As mentioned above, the link rewriting process begins when proxy server 205 receives a web page response from an application of the Intranet and the web page is scanned for links. The proxy server 205 determines whether the link targets a server on the Intranet 508 or on the Internet 507. If a link does not target an application on the Intranet 508, the link is not rewritten. If the link contains a recognizable path to the Intranet 508 from the keyword look up table and the link originated on a server on the Intranet 508, the proxy server 205 rewrites the link to specify a particular keyword (from the keyword look up table) corresponding to the file path and replaces the path with the recognized keyword 805. The rewritten link is then returned to the wireless device. The keyword look up table contains keywords and corresponding pathways for all links and applications that reside on the Intranet web servers.

As such, keyword table 608 contains individual entries each having a keyword and an associated file path, e.g., keyword 1001 is associated with file path 1002, etc. Exemplary entries are shown in FIG. 10.
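The response-side rewriting of FIG. 8, the query routing of FIG. 7 and the keyword look up table of FIG. 10 are three views of one mechanism, so the following added Python example covers all three: it rewrites the Intranet links in a page to keyword form with the authentication parameters appended, and then resolves a rewritten link back to its Intranet server and application path, or to the Internet when no keyword is recognized. This is illustration code written for this page, not code from the patent or from Palm. The table entries, the host names, the `/kw/<keyword>` URL shape, the `sn`/`uid` parameter names and the sample page are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

# Constructed stand-in for keyword look up table 608 (FIG. 10). Every entry is
# hypothetical: keyword -> (Intranet web server, top-level application path).
KEYWORD_TABLE = {
    "hr":   ("hr.intranet.example",   "/hrapps/portal"),
    "mail": ("mail.intranet.example", "/webmail"),
    "docs": ("docs.intranet.example", "/library"),
}
PROXY_HOST = "proxy.example"   # assumed public name of proxy server 205
KEYWORD_PREFIX = "/kw/"        # assumed shape of a rewritten link: /kw/<keyword>/<rest>
AUTH_KEYS = ("sn", "uid")      # assumed parameter names: device serial number, user name

_LINK_ATTR = re.compile(r'\b(href|src)=(["\'])(.*?)\2', re.IGNORECASE)


def _lookup(url: str):
    """Steps 803/805: return (keyword, path remainder) if url targets a tabled
    application on an Intranet server, else None."""
    parts = urlsplit(url)
    for kw, (host, app_path) in KEYWORD_TABLE.items():
        if parts.hostname == host and (
            parts.path == app_path or parts.path.startswith(app_path + "/")
        ):
            return kw, parts.path[len(app_path):]
    return None


def rewrite_link(url: str, base_url: str, auth: dict) -> str:
    """Steps 803-806: rewrite one link to keyword form and append the authentication
    parameters of the query that produced the page; leave other links untouched."""
    absolute = urljoin(base_url, url)          # relative hrefs resolve against the page
    hit = _lookup(absolute)
    if hit is None:
        return url                              # step 804: not a tabled Intranet application
    kw, remainder = hit
    parts = urlsplit(absolute)
    # Page content must not be able to smuggle its own sn/uid: drop any present,
    # then append the proxy's copy.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in AUTH_KEYS]
    query += [(k, auth[k]) for k in AUTH_KEYS]
    return urlunsplit(("https", PROXY_HOST, KEYWORD_PREFIX + kw + remainder,
                       urlencode(query), parts.fragment))


def rewrite_page(html: str, base_url: str, auth: dict) -> str:
    """Steps 801-807: scan a response page and rewrite every link in it. (An
    attribute regex is enough for the illustration; a deployment would use a real
    HTML rewriter.)"""
    def repl(m):
        attr, quote, target = m.groups()
        return f"{attr}={quote}{rewrite_link(target, base_url, auth)}{quote}"
    return _LINK_ATTR.sub(repl, html)


@dataclass
class Route:
    destination: str   # "intranet" or "internet"
    url: str           # where the proxy forwards the query
    auth: dict         # authentication parameters lifted from the query for step 703


def route_query(query_url: str) -> Route:
    """Steps 704-708: a recognized keyword selects the Intranet server and restores
    the application's top-level path; a query without one goes to the Internet (706)."""
    parts = urlsplit(query_url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    auth = {k: v for k, v in pairs if k in AUTH_KEYS}
    rest = urlencode([(k, v) for k, v in pairs if k not in AUTH_KEYS])
    if parts.path.startswith(KEYWORD_PREFIX):
        kw, sep, remainder = parts.path[len(KEYWORD_PREFIX):].partition("/")
        if kw in KEYWORD_TABLE:
            host, app_path = KEYWORD_TABLE[kw]
            # Plain http to the Intranet server is an assumption of this example.
            return Route("intranet",
                         urlunsplit(("http", host, app_path + sep + remainder, rest, "")),
                         auth)
    return Route("internet",
                 urlunsplit((parts.scheme, parts.netloc, parts.path, rest, "")), auth)


# Constructed sample: a page served by the HR application in answer to a query that
# carried these authentication parameters.
BASE_URL = "http://hr.intranet.example/hrapps/portal/home"
AUTH = {"sn": "PALM-0001", "uid": "jdoe"}
SAMPLE_PAGE = """<a href="/hrapps/portal/leave?year=2001">Leave</a>
<a href="http://mail.intranet.example/webmail/inbox">Inbox</a>
<a href="http://hr.intranet.example/legacy/old.cgi">Legacy tool (not in table)</a>
<a href="https://www.example.com/news">Public news</a>
<img src="/hrapps/portal/logo.gif">"""

if __name__ == "__main__":
    page = rewrite_page(SAMPLE_PAGE, BASE_URL, AUTH)
    print(page)
    for link in re.findall(r'(?:href|src)="([^"]+)"', page):
        print(route_query(link))
```

Because the proxy restores the server and path from the table, a rewritten link exposes neither the Intranet host nor the application path to the device, and a keyword absent from the table falls through to the Internet route exactly as step 706 describes (so the legacy link above, which is on an Intranet host but not in the table, is never reachable through the proxy). One caveat the patent does not spell out: whatever the authentication parameters are, they travel in the URL of every link and so end up in device histories, proxy and web server logs and Referer headers; a deployment would carry a bound, expiring token there rather than a reusable password.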

The preferred embodiment of the present invention, a proxy server system for providing portable wireless devices authenticated access to an Intranet, is thus described. While the present invention has been described in particular embodiments, it should be appreciated that the present invention should not be construed as limited by such embodiments, but rather construed according to the following claims.

The foregoing descriptions of specific embodiments of the present invention have been presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the Claims appended hereto and their equivalents.

1. A server system comprising: a network translator for communicating with wireless electronic devices and translating between a wireless communication protocol and an IP communication protocol; an Intranet comprising a plurality of Intranet servers, each Intranet server comprising applications; a proxy server coupled to said network translator and said Intranet and for routing queries received from said wireless electronic devices to an appropriate server destination and also for routing responses to said wireless electronic devices, said proxy server comprising: a link rewriter service for examining web pages generated by applications of said Intranet to identify links that point to any application that is resident in said Intranet, said link rewriter service also for translating each identified link to include a keyword that designates both the targeted application and its Intranet server; and a router service for examining queries sent from said wireless electronic devices and for routing queries with recognized keywords to said Intranet and for routing others to the Internet.
2. A server system as described in claim 1 wherein said proxy server also comprises an authentication adder service for adding authentication parameters to said links that target any application that is resident in said Intranet.
3. A server system as described in claim 1 further comprising a keyword database in which each recognized keyword has an associated URL that specifies an Intranet server and an application within said Intranet server.
4. A server system as described in claim 1 wherein said proxy server is also coupled to the Internet.
5. A server system as described in claim 2 wherein said authentication parameters include a user name and a device serial number.
6. A server system as described in claim 1 wherein said network translator translates between wireless protocol and said IP protocol.
7. A server system as described in claim 1 wherein said proxy server also comprises an authentication user service for confirming received queries as being associated with a valid user based on a database of valid user information.
8. A server system comprising: a translator means for communicating with wireless electronic devices and translating between a wireless communication protocol and an IP communication protocol; a routing means for examining queries sent from said wireless electronic devices and for routing queries with recognized keywords to said Intranet and for routing others to the Internet; an Intranet comprising a plurality of Intranet servers, each Intranet server comprising applications; a proxy server coupled to said translator means, said routing means, and said Intranet, said proxy server including: link rewriting means for examining web pages generated by applications of said Intranet to identify links that point to any application that is resident in said Intranet, said link rewriting means also for translating each identified link to include a keyword that designates both the targeted application and its Intranet server.
9. A server system as described in claim 8 wherein said proxy server also comprises an authentication adder means for adding authentication parameters to said links that target any application that is resident in said Intranet.
10. A server system as described in claim 8 further comprising a keyword database in which each recognized keyword has an associated file path that specifies an Intranet server and an application within said Intranet server.
11. A server system as described in claim 8 wherein said proxy server is also coupled to the Internet.
12. A server system as described in claim 9 wherein said authentication parameters include a user name and a device identifying number.
13. A server system as described in claim 8 wherein said translator means translates between ECC wireless protocol and said IP protocol.
14. A server system as described in claim 8 wherein said proxy server also comprises an authentication user means for confirming received queries as being associated with a valid user based on a database of valid user information.
15. In a server system, a method of communicating with wireless electronic devices comprising the steps of: a) receiving a web page representing a response to a query sent by a wireless electronic device, said web page generated by an application residing in an Intranet that comprises a plurality of Intranet servers, each having applications; b) identifying links within said web page that point to any application of said Intranet; c) for links identified in step b), rewriting each identified link to include a keyword that designates both the targeted application and its Intranet server; d) routing rewritten links to an appropriate wireless electronic device; and e) for queries received by said server system and sent by said wireless electronic devices, routing those queries having a recognized keyword to said Intranet and otherwise routing received queries to the Internet.
16. A method as described in claim 15 wherein said step c) further comprises the step of adding authentication parameters to links generated from said applications of said Intranet server.
17. A method as described in claim 16 wherein said authentication parameters include a user name and a device serial number.
18. A method as described in claim 16 further comprising a keyword database in which each recognized keyword has an associated URL that specifies an Intranet server and an application within said Intranet server.
19. A method as described in claim 18 wherein said step e) further comprises the steps of: analyzing said queries for keywords that match a keyword database; replacing recognized keywords with the corresponding file pathways from said keyword database; and routing said links to appropriate applications of said Intranet as indicated by said file pathways.
20. A method as described in claim 15 further comprising the step of performing a protocol translation on received queries between an ECC wireless protocol and said IP protocol.